[FP]: CVE-2024-9329 shown for Old JAXB Runtime 4.0.7

[mo7ty]

Package URl

pkg:maven/com.sun.xml.bind/jaxb-impl@4.0.7

CPE

cpe:2.3:a:eclipse:glassfish:4.0.7:::::::*

CVE

CVE-2024-9329

ODC Integration

{"label" => "Gradle Plugin"}

ODC Version

12.2.0

Description

CVE-2024-9329, affecting "Eclipse Glassfish versions before 7.0.17", is being reported for Old JAXB Runtime » 4.0.7, when the dependecy tree is shown as:

com.sun.xml.bind:jaxb-impl:4.0.7
\--- com.sun.xml.bind:jaxb-core:4.0.7
     +--- jakarta.xml.bind:jakarta.xml.bind-api:4.0.5
     \--- org.eclipse.angus:angus-activation:2.0.3
          \--- jakarta.activation:jakarta.activation-api:2.1.4

[github-actions]

Maven Coordinates

<dependency>
  <groupId>com.sun.xml.bind</groupId>
  <artifactId>jaxb-impl</artifactId>
  <version>4.0.7</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8374
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.sun\.xml\.bind/jaxb-impl@.*$</packageUrl>
    <cpe>cpe:/a:eclipse:glassfish</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/23258028651

[github-actions]

Maven Coordinates

<dependency>
  <groupId>com.sun.xml.bind</groupId>
  <artifactId>jaxb-impl</artifactId>
  <version>4.0.7</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8374
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.sun\.xml\.bind/jaxb-impl@.*$</packageUrl>
    <cpe>cpe:/a:eclipse:glassfish</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/23258081426

[chadlwilson]

Approved

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.